Sec
596. A security engineer is hardening existing solutions to reduce application vulnerabilities. Which of the following solutions should the engineer implement FIRST? (Choose two.) · A. Auto-update · B. HTTP headers · C. Secure cookies · D. Third-party updates · E. Full disk encryption · F. Sandboxing · G. Hardware encryption
A. Auto-update F. Sandboxing Doesn't specify web app so it must be these.
681. Which of the following roles, according to the shared responsibility model, is responsible for securing the company's database in an IaaS model for a cloud environment? · A. Client · B. Third-party vendor · C. Cloud provider · D. DBA
A. Client
462. Which of the following incident response phases should the proper collection of the detected IoCs and establishment of a chain of custody be performed before? · A. Containment · B. Identification · C. Preparation · D. Recovery
A. Containment
589. Which of the following must be considered when designing a high-availability network? (Choose two.) · A. Ease of recovery · B. Ability to patch · C. Physical isolation · D. Responsiveness · E. Attack surface · F. Extensible authentication
A. Ease of recovery D. Responsiveness
371. A security analyst needs to implement an MDM solution for BYOD users that will allow the company to retain control over company emails residing on the devices and limit data exfiltration that might occur if the devices are lost or stolen. Which of the following would BEST meet these requirements? (Choose two.) · A. Full device encryption · B. Network usage rules · C. Geofencing · D. Containerization · E. Application approve list · F. Remote control
A. Full device encryption D. Containerization
552. A company's Chief Information Security Officer (CISO) recently warned the security manager that the company's Chief Executive Officer (CEO) is planning to publish a controversial opinion article in a national newspaper, which may result in new cyberattacks. Which of the following would be best for the security manager to use in a threat model? · A. Hacktivists · B. White-hat hackers · C. Script kiddies · D. Insider threats
A. Hacktivists Hacktivists are individuals or groups of hackers who engage in hacking activities for ideological or political reasons. They may be motivated to launch cyberattacks in response to the CEO's article due to the controversial nature of its content. Including hacktivists in the threat model would help the security manager assess the potential risk posed by this group and develop appropriate mitigation strategies.
372. A security administrator is evaluating remote access solutions for employees who are geographically dispersed. Which of the following would provide the MOST secure remote access? (Choose two.) · A. IPSec · B. SFTP · C. SRTP · D. LDAPS · E. S/MIME · F. SSL VPN
A. IPSec F. SSL VPN
563. A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would best prevent email contents from being released should another breach occur? · A. Implement S/MIME to encrypt the emails at rest. · B. Enable full disk encryption on the mail servers. · C. Use digital certificates when accessing email via the web. · D. Configure web traffic to only use TLS-enabled channels.
A. Implement S/MIME to encrypt the emails at rest. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a technology that provides end-to-end encryption for email messages. When S/MIME is implemented, email messages are encrypted while at rest on the email server, making it difficult for an attacker to access the content even if they gain unauthorized access to the mail servers. Therefore, implementing S/MIME to encrypt the emails at rest would be the best option to prevent email contents from being released in case of another breach.
A bakery has a secret recipe that it wants to protect. Which of the following objectives should be added to the company's security awareness training? · A. Insider threat detection · B. Risk analysis · C. Phishing awareness · D. Business continuity planning
A. Insider threat detection Plankton getting SpongeBob to steal the Krabby Patty formula...
460. A network engineer receives a call regarding multiple LAN-connected devices that are on the same switch. The devices have suddenly been experiencing speed and latency issues while connecting to network resources. The engineer enters the command show mac address-table and reviews the following output: Which of the following best describes the attack that is currently in progress? · A. MAC flooding · B. Evil twin · C. ARP poisoning · D. DHCP spoofing
A. MAC flooding
561. An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following: • Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users. • Internal users in question were changing their passwords frequently during that time period. • A jump box that several domain administrator users use to connect to remote devices was recently compromised. • The authentication method used in the environment is NTLM. Which of the following types of attacks is most likely being used to gain unauthorized access? · A. Pass-the-hash · B. Brute-force · C. Directory traversal · D. Replay
A. Pass-the-hash Pass-the-hash is an attack technique used to gain access to a system by using the hash value of a user's password, rather than the actual password itself. This attack is particularly effective against systems using NTLM authentication, where the hash of a user's password can be captured and then reused to authenticate as that user without knowing the actual password.
658. A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message: "Special privileges assigned to new logon." Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected? · A. Pass-the-hash · B. Buffer overflow · C. Cross-site scripting · D. Session replay
A. Pass-the-hash Buffer overflow = memory; XSS - involves scripts; Session replay - replays a session, but prev sessions did not have privileges, which means it is A. Pass the Hash
405. If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data? · A. Perfect forward secrecy · B. Elliptic-curve cryptography · C. Key stretching · D. Homomorphic encryption
A. Perfect forward secrecy Perfect Forward Secrecy (PFS), also called forward secrecy (FS), refers to an encryption system that changes the keys used to encrypt and decrypt information frequently and automatically. This ongoing process ensures that even if the most recent key is hacked, a minimal amount of sensitive data is exposed.
389. A penetration tester executes the command crontab -l while working in a Linux server environment. The penetration tester observes the following string in the current user's list of cron jobs: */10 * * * * root /writable/update.sh Which of the following actions should the penetration tester perform NEXT? · A. Privilege escalation · B. Memory leak · C. Directory traversal · D. Race condition
A. Privilege escalation
347. After installing a patch on a security appliance, an organization realized a massive data exfiltration had occurred. Which of the following BEST describes the incident? · A. Supply chain attack · B. Ransomware attack · C. Cryptographic attack · D. Password attack
A. Supply chain attack I suppose the reasonable explanation here is that you have to know what happened to SolarWinds. Code is part of the supply chain since it's a component of the security appliance, made by devs and pushed into the product. If someone manages to compromise the developer and make them push code with a vulnerability/virus in it, it's a supply chain issue.
639. A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against: · A. loss of proprietary information. · B. damage to the company's reputation. · C. social engineering. · D. credential exposure.
A. loss of proprietary information.
381. Users report access to an application from an internal workstation is still unavailable to a specific server, even after a recent firewall rule implementation that was requested for this access. ICMP traffic is successful between the two devices. Which of the following tools should the security analyst use to help identify if the traffic is being blocked? · A. nmap · B. tracert · C. ping · D. ssh
A. nmap nmap is a network exploration and security auditing tool that can be used to identify open ports and services on a remote host. It can also be used to determine if a particular port is being blocked by a firewall. By using nmap to scan the server that the users are attempting to access, the security analyst can determine if the firewall rule implementation was successful and if the necessary port is open and available.
407. Which of the following scenarios BEST describes a risk reduction technique? · A. A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches. · B. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation. · C. A security control objective cannot be met through a technical change, so the company performs regular audits to determine if violations have occurred. · D. A security control objective cannot be met through a technical change, so the Chief Information Officer decides to sign off on the risk.
B. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation. A is transference. B is mitigation. C is detection. D is acceptance. The only answer reducing risk is B.
527. Which of the following mitigation techniques places devices in physically or logically separated networks and leverages policies to limit the types of communications that are allowed? · A. Host-based firewalls · B. Access control list · C. Port security · D. Least privilege
B. Access control list
484. Security analysts have noticed the network becomes flooded with malicious packets at specific times of the day. Which of the following should the analysts use to investigate this issue? · A. Web metadata · B. Bandwidth monitors · C. System files · D. Correlation dashboards
B. Bandwidth monitors Bandwidth monitors can be used to capture network traffic and identify any unusual traffic patterns, such as a spike in traffic during specific times of the day. This can help security analysts investigate and identify any potential malicious activity. Web metadata is not likely to be useful in investigating network traffic, system files are typically used to troubleshoot and diagnose system issues, and correlation dashboards are used to analyze and present data from multiple sources in a single view.
679. A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. Which of the following is the best mitigation strategy to prevent this from happening in the future? · A. User training · B. CASB · C. MDM · D. EDR
B. CASB Similar to 137. 137 says remediation and answer is DLP. This one is Mitigation and answer is CASB.
656. The cost of removable media and the security risks of transporting data have become too great for a laboratory. The laboratory has decided to interconnect with partner laboratories to make data transfers easier and more secure. The Chief Security Officer (CSO) has several concerns about proprietary data being exposed once the interconnections are established. Which of the following security features should the network administrator implement to prevent unwanted data exposure to users in partner laboratories? · A. VLAN zoning with a file-transfer server in an external-facing zone · B. DLP running on hosts to prevent file transfers between networks · C. NAC that permits only data-transfer agents to move data between networks · D. VPN with full tunneling and NAS authenticating through the Active Directory
B. DLP running on hosts to prevent file transfers between networks READ THE ENTIRE QUESTION!
378. An organization is outlining data stewardship roles and responsibilities. Which of the following employee roles would determine the purpose of data and how to process it? · A. Data custodian · B. Data controller · C. Data protection officer · D. Data processor
B. Data controller Data Controller: manages the purpose and means by which personal data is processed.
637. Which of the following allows for functional test data to be used in new systems for testing and training purposes to protect the real data? · A. Data encryption · B. Data masking · C. Data deduplication · D. Data minimization
B. Data masking
466. Which of the following roles is responsible for defining the protection type and classification type for a given set of files? · A. General counsel · B. Data owner · C. Risk manager · D. Chief Information Officer
B. Data owner
603. A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional under-voltage events that could last up to an hour exists, particularly at one of the locations near an industrial smelter. Which of the following is the best solution to reduce the risk of data loss? · A. Dual supply · B. Generator · C. PDU · D. Daily backups
B. Generator Same as Q 159, but UPS is not present, so this one is Generator!
584. A security professional wants to enhance the protection of a critical environment that is used to store and manage a company's encryption keys. The selected technology should be tamper resistant. Which of the following should the security professional implement to achieve the goal? · A. DLP · B. HSM · C. CA · D. FIM
B. HSM HSM is only choice that stores keys
593. An analyst is working on an email security incident in which the target opened an attachment containing a worm. The analyst wants to implement mitigation techniques to prevent further spread. Which of the following is the best course of action for the analyst to take? · A. Apply a DLP solution · B. Implement network segmentation · C. Utilize email content filtering. · D. Isolate the infected attachment
B. Implement network segmentation Further spread means it has already spread some. SO... network segmentation is best.
644. A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery? · A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis. · B. Restrict administrative privileges and patch all systems and applications. · C. Rebuild all workstations and install new antivirus software. · D. Implement application whitelisting and perform user application hardening.
B. Restrict administrative privileges and patch all systems and applications
376. Which of the following is the BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an organization? · A. To provide data to quantify risk based on the organization's systems · B. To keep all software and hardware fully patched for known vulnerabilities · C. To only allow approved, organization-owned devices onto the business network · D. To standardize by selecting one laptop model for all users in the organization
B. To keep all software and hardware fully patched for known vulnerabilities From the CompTIA book: Asset Management: Asset management is the policies and processes used to manage the elements of the system, including hardware, SOFTWARE, and the data that is contained within them. In order to secure a system, one must have some form of control over these assets, and asset management involves the processes employed to keep the enterprise in positive control over these valuable items. Failure to control hardware can result in rogue network devices or computers accessing systems. Failure to control software can result in system-level vulnerabilities granting attackers free reign over a system and its data. Failure to control the data assets can result in many forms of failure. This makes asset management one of the most important aspects of security, and it is ranked at the top of virtually every standard list of controls.
451. A small, local company experienced a ransomware attack. The company has one web-facing server and a few workstations. Everything is behind an ISP firewall. A single web-facing server is set up on the router to forward all ports so that the server is viewable from the internet. The company uses an older version of third-party software to manage the website. The assets were never patched. Which of the following should be done to prevent an attack like this from happening again? (Choose three.) · A. Install DLP software to prevent data loss · B. Use the latest version of software · C. Install a SIEM device · D. Implement MDM · E. Implement a screened subnet for the web server · F. Install an endpoint security solution · G. Update the website certificate and revoke the existing ones · H. Deploy additional network sensors
B. Use the latest version of software E. Implement a screened subnet for the web server F. Install an endpoint security solution B. Use the latest version of software: Using the latest version of software will help to patch any vulnerabilities that may exist in older versions of the software. E. Implement a screened subnet for the web server: A screened subnet, or demilitarized zone (DMZ), can be used to isolate the web-facing server from the internal network and to restrict inbound and outbound traffic. F. Install an endpoint security solution: An endpoint security solution can help to protect workstations from malware and ransomware attacks. To protect specific devices like servers and workstations from malware end point security solutions should be used.
519. Which of the following methods is the most effective for reducing vulnerabilities? · A. Joining an information-sharing organization · B. Using a scan-patch-scan process · C. Implementing a bug bounty program · D. Patching low-scoring vulnerabilities first
B. Using a scan-patch-scan process
623. Users have been issued smart cards that provide physical access to a building. The cards also contain tokens that can be used to access information systems. Users can log in to any thin client located throughout the building and see the same desktop each time. Which of the following technologies are being utilized to provide these capabilities? (Choose two.) · A. COPE · B. VDI · C. GPS · D. TOTP · E. RFID · F. BYOD
B. VDI E. RFID
649. A software developer needs to perform code-execution testing, black-box testing, and non-functional testing on a new product before its general release. Which of the following BEST describes the tasks the developer is conducting? · A. Verification · B. Validation · C. Normalization · D. Staging
B. Validation
660. A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring? · A. A BPDU guard · B. WPA-EAP · C. IP filtering · D. A WIDS
B. WPA-EAP Using WPA-EAP would allow the use of an authenticator like RADIUS. This would allow users and roles/groups to be created, so if someone did brute force into the network they would at minimum have additional steps to take to escalate privileges etc. to wreak havoc in the system compared to a PSK. An IDS of any type only detects; it does not prevent.
673. A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure? · A. A captive portal · B. PSK · C. 802.1X · D. WPS
C. 802.1X
688. Which of the following best describes a use case for a DNS sinkhole? · A. Attackers can see a DNS sinkhole as a highly valuable resource to identify a company's domain structure. · B. A DNS sinkhole can be used to draw employees away from known-good websites to malicious ones owned by the attacker. · C. A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers. · D. A DNS sinkhole can be set up to attract potential attackers away from a company's network resources.
C. A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.
414. An organization needs to implement more stringent controls over administrator/root credentials and service accounts. Requirements for the project include: • Check-in/checkout of credentials • The ability to use but not know the password • Automated password changes • Logging of access to credentials Which of the following solutions would meet the requirements? · A. OAuth 2.0 · B. Secure Enclave · C. A privileged access management system · D. An OpenID Connect authentication system
C. A privileged access management system A privileged access management system would meet the requirements. A privileged access management (PAM) system is a security solution that provides centralized control over the use of privileged accounts. It allows organizations to manage and monitor the use of privileged accounts, including administrator/root credentials and service accounts. PAM solutions typically include features such as check-in/checkout of credentials, the ability to use but not know the password, automated password changes, and logging of access to credentials.
664. A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked. Which of the following would BEST meet these requirements? · A. RA · B. OCSP · C. CRL · D. CSR
C. CRL KEYWORD = OFFLINE which makes it CRL!! (offline eliminates OCSP)
453. Which of the following roles would most likely have direct access to the senior management team? · A. Data custodian · B. Data owner · C. Data protection officer · D. Data controller
C. Data protection officer Data Owner = management so the DPO is most likely to have direct access to them.
465. Which of the following documents specifies what to do in the event of catastrophic loss of a physical or virtual system? · A. Data retention plan · B. Incident response plan · C. Disaster recovery plan · D. Communication plan
C. Disaster recovery plan
662. A network administrator would like to configure a site-to-site VPN utilizing IPSec. The administrator wants the tunnel to be established with data integrity, encryption, authentication, and anti-replay functions. Which of the following should the administrator use when configuring the VPN? · A. AH · B. EDR · C. ESP · D. DNSSEC
C. ESP A. AH (Authentication Header) provides authentication and data integrity but does not offer encryption or anti-replay protection. It does not encrypt the payload. B. EDR (Endpoint Detection and Response) is a security technology used for detecting and responding to advanced threats and breaches on endpoints (computers and servers). It's not related to configuring VPNs. C. ESP (Encapsulating Security Payload) is the correct choice for a site-to-site VPN when you need encryption, authentication, data integrity, and anti-replay protection. D. DNSSEC (Domain Name System Security Extensions) is used to add security to the DNS by providing authentication and data integrity for DNS data. It's not directly related to configuring VPNs with the specified requirements.
630. Which of the following threat vectors would appear to be the most legitimate when used by a malicious actor to impersonate a company? · A. Phone call · B. Instant message · C. Email · D. Text message
C. Email
618. Which of the following ISO standards is certified for privacy? · A. ISO 9001 · B. ISO 27002 · C. ISO 27701 · D. ISO 31000
C. ISO 27701
475. A security administrator is integrating several segments onto a single network. One of the segments, which includes legacy devices, presents a significant amount of risk to the network. Which of the following would allow users access to the legacy devices without compromising the security of the entire network? · A. NIDS · B. MAC filtering · C. Jump server · D. IPSec · E. NAT gateway
C. Jump server
674. A security analyst is reviewing the following attack log output: Which of the following types of attacks does this MOST likely represent? · A. Rainbow table · B. Brute-force · C. Password-spraying · D. Dictionary
C. Password-spraying Password spraying simply means trying the same password with different accounts.
382. As part of annual audit requirements, the security team performed a review of exceptions to the company policy that allows specific users the ability to use USB storage devices on their laptops. The review yielded the following results: • The exception process and policy have been correctly followed by the majority of users. • A small number of users did not create tickets for the requests but were granted access. • All access had been approved by supervisors. • Valid requests for the access sporadically occurred across multiple departments. • Access, in most cases, had not been removed when it was no longer needed. Which of the following should the company do to ensure that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame? · A. Create an automated, monthly attestation process that removes access if an employee's supervisor denies the approval. · B. Remove ac
C. Perform a quarterly audit of all user accounts that have been granted access and verify the exceptions with the management team.
624. A security engineer needs to implement an MDM solution that complies with the corporate mobile device policy. The policy states that in order for mobile users to access corporate resources on their devices, the following requirements must be met: • Mobile device OSs must be patched up to the latest release. • A screen lock must be enabled (passcode or biometric). • Corporate data must be removed if the device is reported lost or stolen. Which of the following controls should the security engineer configure? (Choose two.) · A. Containerization · B. Storage segmentation · C. Posturing · D. Remote wipe · E. Full-device encryption · F. Geofencing
C. Posturing D. Remote wipe Posturing checks to verify that mobile devices comply with the policy's requirements, such as having an up-to-date OS and enabling a screen lock.
431. Cloud security engineers are planning to allow and deny access to specific features in order to increase data security. Which of the following cloud features is the most appropriate to ensure access is granted properly? · A. API integrations · B. Auditing · C. Resource policies · D. Virtual networks
C. Resource policies Resource policies in cloud security are used to govern access and permissions for specific cloud resources, such as virtual machines, storage accounts, and databases. These policies allow cloud security engineers to define rules that control access and actions on these resources, ensuring that only authorized users and systems can interact with them. Resource policies are commonly used in cloud environments to enforce security controls and compliance requirements, such as restricting access to sensitive data, enforcing encryption, or enforcing geographic data residency rules. These policies are enforced at the cloud provider level, meaning that the access controls and permissions are managed by the cloud provider rather than by individual users or organizations.
440. A company recently enhanced mobile device configuration by implementing a set of security controls: biometrics, context-aware authentication, and full device encryption. Even with these settings in place, an unattended phone was used by a malicious actor to access corporate data. Which of the following additional controls should be put in place first? · A. GPS tagging · B. Remote wipe · C. Screen lock timer · D. SEAndroid
C. Screen lock timer C is an access control and something that should be implemented no matter what as a first line of defense in this scenario.
600. An administrator identifies some locations on the third floor of the building that have a poor wireless signal. Multiple users confirm the incident and report it is not an isolated event. Which of the following should the administrator use to find the areas with a poor or non-existent wireless signal? · A. Heat map · B. Input validation · C. Site survey · D. Embedded systems
C. Site survey Don't overthink it. Site Survey would take everything in environment into consideration. Could be useful as maybe interference is now present from a new device being present that wasn't there originally when setting up network.
547. A security analyst is investigating a malware incident at a company. The malware is accessing a command-and-control website at www.comptia.com. All outbound Internet traffic is logged to a syslog server and stored in /logfiles/messages. Which of the following commands would be best for the analyst to use on the syslog server to search for recent traffic to the command-and-control website? · A. head -500 www.comptia.com | grep /logfiles/messages · B. cat /logfiles/messages | tail -500 www.comptia.com · C. tail -500 /logfiles/messages | grep www.comptia.com · D. grep -500 /logfiles/messages | cat www.comptia.com
C. tail -500 /logfiles/messages | grep www.comptia.com
550. A systems administrator receives the following alert from a file integrity monitoring tool: "The hash of the cmd.exe file has changed." The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred? · A. The end user changed the file permissions. · B. A cryptographic collision was detected. · C. A snapshot of the file system was taken. · D. A rootkit was deployed.
D. A rootkit was deployed. When a file integrity monitoring tool detects a change in the hash of a critical system file like "cmd.exe," it could indicate that a rootkit has been deployed. Rootkits are malicious software designed to hide their presence on a system by modifying critical files and processes, including system utilities like "cmd.exe." By changing the hash of the file, the rootkit aims to evade detection by security tools that rely on file integrity checks. Rootkits often have the capability to tamper with system logs and other monitoring mechanisms, making them difficult to detect using traditional methods.
$505. A customer called a company's security team to report that all invoices the customer has received over the last five days from the company appear to have fraudulent banking details. An investigation into the matter reveals the following: • The manager of the accounts payable department is using the same password across multiple external websites and the corporate account. • One of the websites the manager used recently experienced a data breach. • The manager's corporate email account was successfully accessed in the last five days by an IP address located in a foreign country. Which of the following attacks has most likely been used to compromise the manager's corporate account? · A. Remote access Trojan · B. Brute-force · C. Dictionary · D. Credential stuffing · E. Password spraying
D. Credential stuffing "Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts"
392. An organization's Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities? · A. Data protection officer · B. Data owner · C. Backup administrator · D. Data custodian · E. Internal auditor
D. Data custodian Data Custodian Manages Backups/Technical Controls
610. Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company's final software releases? (Choose two.) · A. Unsecure protocols · B. Use of penetration-testing utilities · C. Weak passwords · D. Included third-party libraries · E. Vendors/supply chain · F. Outdated anti-malware software
D. Included third-party libraries E. Vendors/supply chain
$620. A security analyst needs to be proactive in understanding the types of attacks that could potentially target the company's executives. Which of the following intelligence sources should the security analyst review? · A. Vulnerability feeds · B. Trusted automated exchange of indicator information · C. Structured threat information expression · D. Industry information-sharing and collaboration groups
D. Industry information-sharing and collaboration groups
422. A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is the most likely reason for this request? · A. The CSIRT thinks an insider threat is attacking the network. · B. Outages of business-critical systems cost too much money. · C. The CSIRT does not consider the systems engineer to be trustworthy. · D. Memory contents, including fileless malware, are lost when the power is turned off.
D. Memory contents, including fileless malware, are lost when the power is turned off. They want to contain the system to limit access and then investigate. If the engineer turns off the computer, the volatile memory contents will be lost.
$627. A network administrator needs to build out a new datacenter, with a focus on resiliency and uptime. Which of the following would BEST meet this objective? (Choose two.) · A. Dual power supply · B. Off-site backups · C. Automatic OS upgrades · D. NIC teaming · E. Scheduled penetration testing · F. Network-attached storage
D. NIC teaming
$608. An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Choose two.) · A. Application · B. Authentication · C. Error · D. Network · E. Firewall · F. System
D. Network E. Firewall Review this. Was shaky on 2nd choice.
$424. Which of the following should customers who are involved with UI developer agreements be concerned with when considering the use of these products on highly sensitive projects? · A. Weak configurations · B. Integration activities · C. Unsecure user accounts · D. Outsourced code development
D. Outsourced code development
445. A security architect is working on an email solution that will send sensitive data. However, funds are not currently available in the budget for building additional infrastructure. Which of the following should the architect choose? · A. POP · B. IPSec · C. IMAP · D. PGP
D. PGP PGP is short for Pretty Good Privacy, a security program that enables users to communicate securely by decrypting and encrypting messages, authenticating messages through digital signatures, and encrypting files. It was one of the first freely available forms of public-key cryptography software.
439. Which of the following can be used to detect a hacker who is stealing company data over port 80? · A. Web application scan · B. Threat intelligence · C. Log aggregation · D. Packet capture
D. Packet capture To steal data over HTTP (Port 80) the hacker would use a packet sniffer/capture tool since port 80 is not encrypted.
404. Which of the following secure application development concepts aims to block verbose error messages from being shown in a user's interface? · A. OWASP · B. Obfuscation/camouflage · C. Test environment · D. Prevention of information exposure
D. Prevention of information exposure
508. A security analyst is taking part in an evaluation process that analyzes and categorizes threat actors of real-world events in order to improve the incident response team's process. Which of the following is the analyst most likely participating in? · A. MITRE ATT&CK · B. Walk-through · C. Red team · D. Purple team · E. TAXII
D. Purple team MITRE ATT&CK is a framework; you cannot participate in a framework. You can follow a framework and work by its guidelines, but you cannot participate in it. A purple team is a group of cyber security professionals who simulate malicious attacks and penetration testing in order to identify security vulnerabilities and recommend remediation strategies for an organization's IT infrastructure. The term is derived from the color purple, which symbolizes the combination of both red and blue teams. Unlike traditional red team/blue teams, which are usually separate entities, the purple team works in close coordination, sharing information and insights in order to address acute weaknesses and improve the organization's overall security posture.
665. A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID configurations should the administrator use? · A. RAID 0 · B. RAID 1 · C. RAID 5 · D. RAID 10
D. RAID 10
537. A critical file server is being upgraded, and the systems administrator must determine which RAID level the new server will need to achieve parity and handle two simultaneous disk failures. Which of the following RAID levels meets this requirement? · A. RAID 0+1 · B. RAID 2 · C. RAID 5 · D. RAID 6
D. RAID 6
$587. Which of the following agreements defines response time, escalation points, and performance metrics? · A. BPA · B. MOA · C. NDA · D. SLA
D. SLA Got it right but need to review. BPA = Business Partnership Agreement
595. Which of the following can be used to calculate the total loss expected per year due to a threat targeting an asset? · A. EF x asset value · B. ALE / SLE · C. MTBF x impact · D. SLE x ARO
D. SLE x ARO
429. A security architect is designing a remote access solution for a business partner. The business partner needs to access one Linux server at the company. The business partner wants to avoid managing a password for authentication and additional software installation. Which of the following should the architect recommend? · A. Soft token · B. Smart card · C. CSR · D. SSH key
D. SSH key An SSH key is an access credential in the SSH protocol. Its function is similar to that of user names and passwords, but the keys are primarily used for automated processes and for implementing single sign-on by system administrators and power users.
648. The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns? · A. SSO would simplify username and password management, making it easier for hackers to guess accounts. · B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords. · C. SSO would reduce the password complexity for frontline staff. · D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.
D. SSO would reduce the resilience and availability of systems if the identity provider goes offline.
515. A company's help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is most likely the cause? · A. The GPO prevents the use of flash drives, which triggers a false positive AV indication and restricts the drives to only 512KB of storage. · B. The new flash drives need a driver that is being blocked by the AV software because the flash drives are not on the application's allow list, temporarily restricting the drives to 512KB of storage. · C. The new flash drives are incorrectly partitioned, and the systems are automatically trying to use an unapproved application to repartition the drives. · D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.
D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory. Mimikatz is a tool that is commonly used by hackers and security professionals to extract sensitive information, such as passwords and credentials, from a system's memory. The flash drive most likely contains malicious code that is trying to execute Mimikatz to dump credentials from memory.
476. Which of the following would a security analyst use to determine if other companies in the same sector have seen similar malicious activity against their systems? · A. Vulnerability scanner · B. Open-source intelligence · C. Packet capture · D. Threat feeds
D. Threat feeds
375. A network administrator needs to determine the sequence of a server farm's logs. Which of the following should the administrator consider? (Choose two.) · A. Chain of custody · B. Tags · C. Reports · D. Time stamps · E. Hash values · F. Time offset
D. Time stamps F. Time offset Time stamps: Logs typically contain time stamps that indicate when events occurred. The administrator can use these time stamps to establish the chronological order of the logs and understand the sequence of events. Time offset: In a distributed environment or when logs are collected from different servers or time zones, it's important to account for time offsets. The administrator should consider any time differences between servers and adjust the logs accordingly to ensure accurate sequencing.
355. A company is switching to a remote work model for all employees. All company and employee resources will be in the cloud. Employees must use their personal computers to access the cloud computing environment. The company will manage the operating system. Which of the following deployment models is the company implementing? · A. CYOD · B. MDM · C. COPE · D. VDI
D. VDI
675. An organization has hired a security analyst to perform a penetration test. The analyst captures 1Gb worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap? · A. Nmap · B. cURL · C. Netcat · D. Wireshark
D. Wireshark
636. A security analyst is investigating an incident that was first reported as an issue connecting to network shares and the Internet. While reviewing logs and tool output, the analyst sees the following: Which of the following attacks has occurred? · A. IP conflict · B. Pass-the-hash · C. MAC flooding · D. Directory traversal · E. ARP poisoning
E. ARP poisoning Someone changed their IP to be the same as the gateway or router, so traffic will be redirected = ARP poisoning.
540. A security engineer is concerned about using an agent on devices that relies completely on defined known-bad signatures. The security engineer wants to implement a tool with multiple components including the ability to track, analyze, and monitor devices without reliance on definitions alone. Which of the following solutions best fits this use case? · A. EDR · B. DLP · C. NGFW · D. HIPS
A. EDR Endpoint Detection and Response (EDR) is a solution that provides continuous monitoring, analysis, and response capabilities on endpoints (devices) in an organization's network. Unlike traditional antivirus solutions that rely on known-bad signatures, EDR solutions use behavior-based analysis and heuristics to detect and respond to potential threats. EDR tools collect and analyze endpoint data in real time, allowing security teams to identify suspicious activities, detect anomalous behavior, and respond to security incidents. They can detect and block various types of threats, including malware, ransomware, zero-day exploits, and fileless attacks, without solely relying on known signatures.
377. A security administrator, who is working for a government organization, would like to utilize classification and granular planning to secure top secret data and grant access on a need-to-know basis. Which of the following access control schemas should the administrator consider? · A. Mandatory · B. Rule-based · C. Discretionary · D. Role-based
A. Mandatory Mandatory Access Control (MAC): in a MAC system, an operating system provides individual users with access based on data confidentiality and levels of user clearance. MAC is the strictest of all models. Access is granted on a strict, need-to-know basis. Users must prove they need the requested information or access before gaining permission.
480. A security administrator would like to ensure all cloud servers will have software preinstalled for facilitating vulnerability scanning and continuous monitoring. Which of the following concepts should the administrator utilize? · A. Provisioning · B. Staging · C. Staging · D. Quality assurance
A. Provisioning Provisioning is the process of setting up IT infrastructure and resources, which includes installing and configuring the necessary software and tools on servers to meet the security requirements of the organization. By ensuring that all cloud servers have software preinstalled for vulnerability scanning and continuous monitoring, the administrator can help to ensure that all servers meet the security standards of the organization and reduce the risk of security incidents.
$357. The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user digital identities using SAML-based protocols. Which of the following will this enable? · A. SSO · B. MFA · C. PKI · D. DLP
A. SSO
502. A company's help desk has received calls about the wireless network being down and users being unable to connect to it. The network administrator says all access points are up and running. One of the help desk technicians notices the affected users are working in a building near the parking lot. Which of the following is the most likely reason for the outage? · A. Someone near the building is jamming the signal. · B. A user has set up a rogue access point near the building. · C. Someone set up an evil twin access point in the affected area. · D. The APs in the affected area have been unplugged from the network.
A. Someone near the building is jamming the signal.
$365. The marketing department at a retail company wants to publish an internal website to the internet so it is reachable by a limited number of specific, external service providers in a secure manner. Which of the following configurations would be BEST to fulfil this requirement? · A. NAC · B. ACL · C. WAF · D. NAT
B. ACL
$443. A cybersecurity analyst at Company A is working to establish a secure communication channel with a counterpart at Company B, which is 3,000 miles (4,828 kilometers) away. Which of the following concepts would help the analyst meet this goal in a secure manner? · A. Digital signatures · B. Key exchange · C. Salting · D. PPTP
B. Key exchange
529. Which of the following best describes why a company would erase a newly purchased device and install its own image with an operating system and applications? · A. Installing a new operating system thoroughly tests the equipment · B. Removing unneeded applications reduces the system's attack surface · C. Reimaging a system creates an updated baseline of the computer image · D. Wiping the device allows the company to evaluate its performance
B. Removing unneeded applications reduces the system's attack surface The image was/is already being used, so applying it will not change the baseline, so it must be B.
$449. Which of the following biometric authentication methods is the most accurate? · A. Gait · B. Retina · C. Signature · D. Voice
B. Retina
458. A Chief Information Security Officer (CISO) wants to implement a new solution that can protect against certain categories of websites whether the employee is in the office or away. Which of the following solutions should the CISO implement? · A. WAF · B. SWG · C. VPN · D. HIDS
B. SWG A WAF primarily focuses on protecting the web application against application-layer attacks (SQLi, XSS, CSRF, SSRF, etc.), not on controlling or filtering access to external websites based on categories. A Secure Web Gateway (SWG), on the other hand, is specifically designed to enforce web access policies and control what websites users can access.
370. An engineer wants to inspect traffic to a cluster of web servers in a cloud environment. Which of the following solutions should the engineer implement? · A. CASB · B. WAF · C. Load balancer · D. VPN
B. WAF
517. An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate data center that houses confidential information. There is a firewall at the internet border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the following is the weakest design element? · A. The DLP appliance should be integrated into a NGFW. · B. Split-tunnel connections can negatively impact the DLP appliance's performance. · C. Encrypted VPN traffic will not be inspected when entering or leaving the network. · D. Adding two hops in the VPN tunnel may slow down remote connections.
C. Encrypted VPN traffic will not be inspected when entering or leaving the network. The VPN needs to terminate on the exterior so that the other devices, like the firewall and DLP appliance, can see the actual (unencrypted) traffic and make decisions appropriately.
538. A company must ensure sensitive data at rest is rendered unreadable. Which of the following will the company most likely use? · A. Hashing · B. Tokenization · C. Encryption · D. Segmentation
C. Encryption Don't overthink it!
$481. A network architect wants a server to have the ability to retain network availability even if one of the network switches it is connected to goes down. Which of the following should the architect implement on the server to achieve this goal? · A. RAID · B. UPS · C. NIC teaming · D. Load balancing
C. NIC teaming
490. A systems administrator works for a local hospital and needs to ensure patient data is protected and secure. Which of the following data classifications should be used to secure patient data? · A. Private · B. Critical · C. Sensitive · D. Public
C. Sensitive In the context of securing patient data in a hospital setting, the most appropriate data classification to use is "Sensitive." Patient data is considered sensitive information that must be protected from unauthorized access, disclosure, or alteration. It often contains personally identifiable information (PII) and protected health information (PHI), which is subject to strict privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Safeguarding sensitive data is crucial to maintaining patient privacy and complying with relevant data protection laws and regulations.
387. A company recently implemented a patch management policy; however, vulnerability scanners have still been flagging several hosts, even after the completion of the patch process. Which of the following is the MOST likely cause of the issue? · A. The vendor firmware lacks support. · B. Zero-day vulnerabilities are being discovered. · C. Third-party applications are not being patched. · D. Code development is being outsourced.
C. Third-party applications are not being patched.
446. A user reset the password for a laptop but has been unable to log in to it since then. In addition, several unauthorized emails were sent on the user's behalf recently. The security team investigates the issue and identifies the following findings: • Firewall logs show excessive traffic from the laptop to an external site. • Unknown processes were running on the laptop. • RDP connections that appeared to be authorized were made to other network devices from the laptop. • High bandwidth utilization alerts from that user's username. Which of the following is most likely installed on the laptop? · A. Worm · B. Keylogger · C. Trojan · D. Logic bomb
C. Trojan Multiple sources say trojan based on its behavior.
503. Which of the following can best protect against an employee inadvertently installing malware on a company system? · A. Host-based firewall · B. System isolation · C. Least privilege · D. Application allow list
D. Application allow list
353. A network engineer and a security engineer are discussing ways to monitor network operations. Which of the following is the BEST method? · A. Disable Telnet and force SSH. · B. Establish a continuous ping. · C. Utilize an agentless monitor. · D. Enable SNMPv3 with passwords.
D. Enable SNMPv3 with passwords.
473. A user's laptop constantly disconnects from the Wi-Fi network. Once the laptop reconnects, the user can reach the internet but cannot access shared folders or other network resources. Which of the following types of attacks is the user most likely experiencing? · A. Bluejacking · B. Jamming · C. Rogue access point · D. Evil twin
D. Evil twin
$394. Which of the following would MOST likely be identified by a credentialed scan but would be missed by an uncredentialed scan? · A. Vulnerabilities with a CVSS score greater than 6.9. · B. Critical infrastructure vulnerabilities on non-IP protocols. · C. CVEs related to non-Microsoft systems such as printers and switches. · D. Missing patches for third-party software on Windows workstations and servers.
D. Missing patches for third-party software on Windows workstations and servers. Credentialed scans have access to usernames and passwords. This allows the scanner to log into the target system and gather more detailed information about the system's configuration, settings, and installed software.
553. Which of the following provides a catalog of security and privacy controls related to the United States federal information systems? · A. GDPR · B. PCI DSS · C. ISO 27000 · D. NIST 800-53
D. NIST 800-53 NIST 800-53 = US FEDERAL INFO SYSTEMS
582. An organization recently acquired an ISO 27001 certification. Which of the following would most likely be considered a benefit of this certification? · A. It allows for the sharing of digital forensics data across organizations. · B. It provides insurance in case of a data breach · C. It provides complimentary training and certification resources to IT security staff · D. It certifies the organization can work with foreign entities that require a security clearance · E. It assures customers that the organization meets security standards
E. It assures customers that the organization meets security standards
